[Zope] Re: CookieCrumbler problem
Gordon Lai
lai at library.ucsf.edu
Thu Oct 14 18:47:17 EDT 2004
Hi Tres,
Thanks for your reply, but login.html isn't protected. I do get a Not
Authorized page when I cancel the basic auth dialog popup, though; I
assume that shows up because I didn't log in to the protected folder. Any
other suggestions? Thanks for suggesting VerboseSecurity.
Gordon
Tres Seaver wrote:
> Gordon Lai wrote:
>
>> Hi,
>>
>> I'm having a problem with CookieCrumbler 1.24. I'm trying to use it
>> with Zope 2.7.2, Python 2.3.4, and LDAPUserFolder 2.4beta3. I want CC
>> to show my login.html when a user accesses a protected folder, but
>> this doesn't happen; the basic auth dialog still pops up. I enter a
>> username and password that authenticates correctly with my LDAP
>> server and then my login.html shows up. On this page I have to enter
>> a correct username, but then any gibberish in the password field will
>> allow me to log in; this basically means that the dialog box was doing
>> the real login and this login.html wasn't doing much. I can then
>> logout by clicking a link that calls a Python Script that calls
>> logout() in CC (is this the correct way to logout? CC doesn't have
>> any docs, so I perused its code and found logout()). But now when I
>> try to access the folder again I get instantly logged out because I
>> have code at the top of my index.html ZPT that detects if a session
>> object exists, and if it doesn't it will logout the user. Since I've
>> logged out, a session object does not exist. Basically, the login
>> process is being completely bypassed and I'm hitting index.html
>> directly.
>>
>> The correct login process that I have set up is as follows:
>>
>> 1) CC shows my login.html.
>> 2) The user logs in, which calls index.py.
>> 3) index.py creates a new session and then calls index.html
>>
>> This was working for some time before "something happened" and I am
>> now seeing the above wrong behavior. What am I doing wrong?
>
>
> It sounds as though 'login.html' is protected; what happens if you
> cancel out when the basic auth dialog pops up? What happens there is
> that you get a 401 (because the login form is protected), and the
> cookie crumbler doesn't intercept it (because it knows it is trying to
> challenge already). Then, when you supply basic auth credentials,
> Zope renders the form, but at this point the browser is already
> including the 'Authenticate:' header, which makes the login POST
> handler irrelevant.
>
> BTW, I would recommend installing VerboseSecurity, if the traceback
> doesn't give you enough information:
>
> http://hathawaymix.org/Software/VerboseSecurity
>
> Tres.
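The failure mode Tres describes (a 401 from the login form itself is not intercepted, the browser's basic-auth dialog takes over, and from then on the Authorization header makes the form POST irrelevant) can be made concrete with a small model. The code below is an added illustration, not CookieCrumbler's, Zope's or Gordon's code: the request/response classes, the `__ac` cookie encoding, the user table and the paths are all constructed for the example, and it assumes, as Tres's explanation implies, that an Authorization header sent by the browser takes precedence over the login cookie.

```python
"""Model of a cookie-based login interceptor in front of a basic-auth
application. Hypothetical names throughout; not CookieCrumbler's own code."""
import base64
from dataclasses import dataclass, field


@dataclass
class Request:
    path: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)


USERS = {"gordon": "s3cret"}            # constructed sample account
INDEX = "/folder/index.html"
LOGIN_FORM = "/folder/login.html"
CORRECT = {INDEX}                       # only the folder content is protected
MISCONFIGURED = {INDEX, LOGIN_FORM}     # the login form is protected as well


def b64(text):
    return base64.b64encode(text.encode()).decode()


def credentials_from(request):
    """(user, password) from a basic-auth header, else from the __ac cookie.
    Assumption: a browser-supplied Authorization header wins over the cookie."""
    auth = request.headers.get("Authorization", "")
    if auth.startswith("Basic "):
        token = auth[len("Basic "):]
    elif "__ac" in request.cookies:
        token = request.cookies["__ac"]
    else:
        return None
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


def serve(request, protected):
    """The application: challenge with 401 on protected paths without valid credentials."""
    if request.path in protected:
        creds = credentials_from(request)
        if creds is None or USERS.get(creds[0]) != creds[1]:
            return Response(401, {"WWW-Authenticate": 'Basic realm="Zope"'})
    return Response(200)


def crumbler(request, protected):
    """Interceptor: turn a 401 into a redirect to the login form, unless the
    login form itself produced the 401 (it is already challenging) or the
    browser is already sending basic-auth credentials."""
    resp = serve(request, protected)
    already_challenging = request.path == LOGIN_FORM
    if resp.status == 401 and not already_challenging and "Authorization" not in request.headers:
        return Response(302, {"Location": f"{LOGIN_FORM}?came_from={request.path}"})
    return resp


def login_flow(protected, form_password):
    """Drive a browser through the login sequence for one configuration.
    Returns (basic_auth_dialog_shown, final_status_for_index)."""
    browser_headers = {}
    cookies = {}
    dialog_shown = False
    resp = crumbler(Request(INDEX), protected)
    if resp.status == 302:
        resp = crumbler(Request(LOGIN_FORM), protected)
    if resp.status == 401:
        # The browser pops its basic-auth dialog; the user types the real
        # password and the browser attaches it to every later request.
        dialog_shown = True
        browser_headers["Authorization"] = "Basic " + b64("gordon:s3cret")
        resp = crumbler(Request(LOGIN_FORM, headers=browser_headers), protected)
    # The user now submits the login form, which sets the __ac cookie from
    # whatever was typed into the form fields.
    cookies["__ac"] = b64("gordon:" + form_password)
    resp = crumbler(Request(INDEX, headers=browser_headers, cookies=cookies), protected)
    return dialog_shown, resp.status


if __name__ == "__main__":
    print("protected form, gibberish password:", login_flow(MISCONFIGURED, "gibberish"))
    print("unprotected form, gibberish password:", login_flow(CORRECT, "gibberish"))
    print("unprotected form, real password:", login_flow(CORRECT, "s3cret"))
```

With the login form protected, the model reproduces the symptom in the thread: the dialog appears and a gibberish form password still yields a 200 for the folder, because the header the browser remembered is doing the authentication. With only the folder protected, no dialog appears and a wrong form password sends the user back to the login form.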